Exiv2 through 0.27.1 allows an attacker to cause a denial of service (crash due to assertion failure) via an invalid data location in a CRW image file.

Reference:
https://github.com/Exiv2/exiv2/issues/841
https://github.com/Exiv2/exiv2/pull/842
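
Added example (not Exiv2 code and not the upstream patch): a sketch of the defensive pattern for this bug class, where a parser reports an invalid data location as an error instead of asserting on it. It assumes the CIFF convention that the top two bits of a tag select the data location, a 10-byte little-endian directory entry, and hypothetical names throughout.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added illustration, not Exiv2 code; every name below is hypothetical.
enum class DataLoc { ValueData, DirectoryData };

struct CiffEntry {
    uint16_t tag;
    DataLoc loc;
    uint32_t size;    // payload length in bytes
    uint32_t offset;  // payload start within the buffer
};

static uint16_t le16(const uint8_t* p) { return uint16_t(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) |
           (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

// Assumed CIFF convention: the top two tag bits select the data location.
// Only 0x0000 and 0x4000 are defined; other values come from a corrupt file.
bool dataLocation(uint16_t tag, DataLoc& out) {
    switch (tag & 0xC000) {
        case 0x0000: out = DataLoc::ValueData; return true;
        case 0x4000: out = DataLoc::DirectoryData; return true;
        default: return false;  // report the error; never assert() on file data
    }
}

// Parse the 10-byte entry (tag, size, offset) at `pos`. Malformed input
// yields false, so the caller can skip the file instead of aborting.
bool parseEntry(const std::vector<uint8_t>& buf, size_t pos, CiffEntry& out) {
    if (pos > buf.size() || buf.size() - pos < 10) return false;
    const uint8_t* p = buf.data() + pos;
    out.tag = le16(p);
    if (!dataLocation(out.tag, out.loc)) return false;
    if (out.loc == DataLoc::DirectoryData) {  // value stored inside the entry
        out.size = 8;
        out.offset = uint32_t(pos + 2);
        return true;
    }
    out.size = le32(p + 2);
    out.offset = le32(p + 6);
    return out.offset <= buf.size() && out.size <= buf.size() - out.offset;
}

// Constructed sample: tag 0x880A carries location bits 0x8000 (undefined).
bool rejectsSample() {
    CiffEntry e;
    return !parseEntry({0x0A, 0x88, 4, 0, 0, 0, 10, 0, 0, 0}, 0, e);
}
```

An assert() on attacker-controlled input aborts the process in debug builds and is compiled out under NDEBUG, so neither build actually handles the malformed file.
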

Created exiv2 tracking bugs for this issue:
Affects: fedora-all [bug 1728493]

Upstream patch:
https://github.com/Exiv2/exiv2/commit/6212806b7637be683a56c769a8d905153996d933 [master branch]
https://github.com/Exiv2/exiv2/commit/7798ae25574425271305fffe85de77bec8df03f1 [0.27-maintenance branch]

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:1577 https://access.redhat.com/errata/RHSA-2020:1577

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-13113